Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search auto-cancelled

hema_5757
Observer
‎03-19-2025 05:45 AM

Hi All,

I have following Query 

index=wineventlog
|eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S") |eval device_name = lower(Workstation_Name)|dedup device_name | table _time user device_name src_nt_host action ComputerName host SourceName Account_Name Security_ID Logon_Type TaskCategory Type app eventtype product vendor vendor_product Account_Domain dest dest_nt_domain dest_nt_host Error_Code EventCode EventType name source SourceName sourcetype src src_domain src_ip src_nt_domain src_port Virtual_Account LogName Logon_GUID Impersonation_Level

on Yesterday time filter

This search takes more than one hour and when I use this query to output search It process till 60% and then it is giving error like search auto-cancelled. Is there any way that we can handle time for processing this query. or how can I get data in other ways. 

 

If I give shorted timeframe like last 60 min time takes almost 5 min and I can get data. Please suggest.

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-19-2025 06:28 AM

Hi @hema_5757 ,

your search is very long, so the only way to avoid timeouts like your is to send the job in background [Job > Send Job to background].
eventually adding an email to receive the completion of the job.

Then remember that you have the limit of 10,000 results, so maybe it's better to use more filters if you have too many results.

Ciao.

Giuseppe

0 Karma
Reply

hema_5757
Observer
‎03-19-2025 06:41 AM

The Search process around 8K results in 400M events 

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎03-19-2025 06:44 AM

Hi @hema_5757  did you see my response with other options under the other reply?

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎03-19-2025 06:26 AM

Hi @hema_5757 

There could be a number of reasons your search is auto-cancelling:

1) The SH does not have enough RAM. Can you confirm how much RAM the SH has, and how much is free during the search?

2) Certain savedsearches.conf properties can affect the amount of time and/or number of results that might return (https://docs.splunk.com/Documentation/Splunk/latest/Admin/Savedsearchesconf) such as:

 

dispatch.max_count = <integer>
* The maximum number of results before finalizing the search.
* Defaults to 500000.

dispatch.max_time = <integer>
* Indicates the maximum amount of time (in seconds) before finalizing the
  search.
* Defaults to 0.

dispatch.auto_cancel = <integer>
* Specifies the amount of inactive time, in seconds, after which the job
  is automatically canceled.
* 0 means to never auto-cancel the job.
* Default: 0

 

Please review these in your environment to see if this could be impacting.

3) Workload management (WLM) - Are your searches subject to WLM policies?

4) Check the job inspector, if you look at the search.log from within the job inspector for things like cancel/fail/error etc and see if there is more information that you can share with us it might help investigate further.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...